With New Strategy, TSA Still Faces Challenges With IT Modernization Program, GAO Says

More than two years into adopting a new strategy for an information technology (IT) infrastructure program that supports a wide range of security threat assessments and credentialing programs, there are still concerns about how the Transportation Security Administration (TSA) is addressing challenges identified before the strategy change, congressional auditors say.

The agency has addressed four of the seven prior challenges of the Technology Infrastructure Modernization (TIM) program, including those related to system performance and usability, data migration, cyber security testing, and hosting of the system in a Department of Homeland Security data center that has higher than expected costs, the Government Accountability Office (GAO), says in a report issued this week.

TSA PreCheck enrollment center. Photo: TSA

However, the other three challenges still need to be better addressed, including issues with the original commercial-off-the-shelf (COTS) for the TIM’s maritime segment in support of the Transportation Worker Identification Credential program, the addition of new programs such as the PreCheck trusted traveler initiative, and “insufficient stakeholder coordination and communication,” says the Oct. 17 report, TSA Modernization: Use of Sound Program Management and Oversight Practices is Needed to Avoid Repeating Past Problems (GAO-18-46).

The TIM program began in 2008 to help eliminate stovepipes in TSA’s assorted credentialing and access management programs, and improve the security threat assessments. The project was expected to be deployed in 2015 at a cost of $631 million. Schedule delays, cost overruns and technical issues, in part driven by additional requirements such as the addition of PreCheck, led to a new program baseline that pushed the deployment out to 2022 and the estimated costs to over $1.3 billion.

In September 2016 the program was rebaselined again after initial operational testing the year before showed that TIM wasn’t effective, GAO says. The new baseline actually shaved some schedule and cost from the program, with deployment now slated for 2021 and the life-cycle cost estimate at under $1.3 billion. The savings were achieved by replacing the proprietary COTS software with open source code, moving to an agile software development approach instead of a waterfall development, and moving away from the DHS data center to a federally-certified public cloud environment.

On the three challenges that still need addressing, the report says that the move away from COTS applications “has been in a continual state of fluctuation and implementation plans have not been defined,” which it adds, “is contrary to leading practices.”

GAO also says that even though the rebaselined program accommodated PreCheck and the Chemical Facility Anti-Terrorism Standards populations, scheduling plans were unrealistic and that the PreCheck migration deadline is now set for November after missing the May 2017 milestone.

The report also says that TSA is working to improve communication with stakeholders, pointing out that filling positions in a communications team and finalizing action plans.

TSA is responding to GAO’s concerns related to the COTS products, telling the auditors that are working implementation plans for the open source software. However, the agency still isn’t sure it can meet revised schedules for various credentialing and access management programs to migrate to TIM, and doesn’t have a schedule for completing its communication plans, the report says.